My wife and I were reviewing the stats in cPanel from our web host (I think they use awstats) and we noticed that with only 6 days completed we have almost maxed our 2Gb bandwidth usage for February.
The site being hosted holds a simple WordPress blog site. We don’t even upload our pictures there. Images are uploaded to Flickr and linked from the blog. There is email usage, but not nearly to the volumes we are seeing in the stats.
It seems that each night between midnight and 4am – while we’re sleeping – a massive amount of POP3 traffic is being associated with our domain / web hosting account. Any ideas for how I can investigate this from my end or what I should tell the techs at the web host to look for? It seems to me that their server is being used as a spam distribution or relay point and that they need to go lock some stuff down, but I am not sure how to explain it to them.
Thus far, their troubleshooting has amounted to “wow! I guess you get a lot of email after midnight!”. We explained that our computers are on 24/7 and the email client is set to download every 1 minute, so it is virtually impossible for us to have any such spike in traffic.
February 7th, 2007, 05:24 PM
If it's POP3 traffic, shouldn't a packet sniffer be able to capture said traffic so you can view the contents in the morning? If you're relaying emails, you should be getting traffic in from one server, and traffic out to another server as well.
If there is no/less traffic than reported, someone else may be spoofing your domain. But I'd be opening Ethereal anyways.
February 8th, 2007, 05:14 PM
you should know better
Tony, is she using an up-to-date version of WordPress? Does her host allow f_open PHP calls? PHP is a very insecure language, WordPress is an extremely insecure app. One of the hosting providers I worked for had this issue. You could be looking at one of two things: someone uploaded a spam remailer to your system and it's now spamming the world via file uploads in WordPress, or someone is hitting WordPress's email ability with an email injection attack. Dig through the Apache logs just prior to the spam going out and see if anyone is accessing an unusual PHP page. Otherwise look for odd files on the system. This looks like the typical fallout of a PHP compromise.
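The log review suggested in the post above, as an added example that is not part of the original thread: it lists PHP scripts that were served during the midnight to 4am spike window but never requested outside it. It assumes the host provides Apache access logs in combined format; the function names, paths and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log line: client, timestamp, request line, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # not a combined-format line
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["url"].split("?", 1)[0]  # drop the query string
    return ts, m["ip"], m["method"], path, int(m["status"])

def unusual_php(lines, start_hour=0, end_hour=4):
    """PHP scripts served inside the spike window but never requested outside it."""
    baseline, hits, clients = set(), Counter(), defaultdict(set)
    for ts, ip, method, path, status in filter(None, map(parse, lines)):
        if not path.lower().endswith(".php") or status >= 400:
            continue  # ignore non-PHP requests and failed requests (4xx/5xx)
        if start_hour <= ts.hour < end_hour:
            hits[(method, path)] += 1
            clients[(method, path)].add(ip)
        else:
            baseline.add(path)  # normal daytime traffic
    return [(path, method, n, sorted(clients[(method, path)]))
            for (method, path), n in hits.most_common() if path not in baseline]

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [06/Feb/2007:14:02:11 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Feb/2007:14:03:40 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Feb/2007:00:41:09 -0500] "GET /index.php?p=12 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Feb/2007:01:12:03 -0500] "POST /wp-content/uploads/gallery.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.5 - - [07/Feb/2007:01:12:09 -0500] "POST /wp-content/uploads/gallery.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.9 - - [07/Feb/2007:02:30:00 -0500] "GET /xmlrpc2.php HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for row in unusual_php(SAMPLE):
        print(row)
```

Scripts that appear in the output are candidates for the "odd files" check: compare them against a clean copy of the installed WordPress version and note the client addresses for the host's support staff.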
February 9th, 2007, 05:03 AM
Tell your ISP that you will switch ISPs due to the fact that they do not filter spam... unless they do... and you have just not turned on the filters??
and if they don't listen... start forwarding the spam to the tech support...
that usually does it :bigsmile:
or switch providers... it's painless really... find one with filters ;)
February 9th, 2007, 01:26 PM
morganlefay: I don't think that will help. Someone is using Tony's account as a spam relay... Tony, if you could get them to look at the mail queue during one of the spikes I bet it would be loaded with spam.
February 9th, 2007, 02:02 PM
Is this an ISP mail server... or do you have your own mail server??
If it's your mail server... what flavor??
If it's the ISP's mail server... change ISPs... cause they don't seem to have a fricken clue if they are allowing mail to relay :eek7:
February 9th, 2007, 07:07 PM
If the account were being used as a spam relay wouldn't we be talking about a large amount of SMTP traffic rather than POP3?
Seems it's time to find a new provider. Without access to the system, network or detailed logs you are likely S.O.L.
February 10th, 2007, 06:17 AM
If it really is POP traffic... change passwords...
make sure the machines accessing the mail are clean...
if it is SMTP... check the mail server...